icebergnetworks.com Managing Risk in a Shared Responsibility Environment Shared Responsibility is NOT Shared Risk! November 11, 2019

Page 1: Shared Responsibility is NOT Shared Risk! · 2019-12-12 · Risk Business Process KPI KRI Action Plan Recommendation Risk Report Compliance Report Indicator Source: Towards a Reference

icebergnetworks.com

Managing Risk in a Shared Responsibility Environment

Shared Responsibilityis NOT Shared Risk!

November 11, 2019

Page 2

Who am I?

MBA, CISSP. 30+ year history in security, technology, and management consulting, including:

• Technology for Nuclear and Biomedical research
• Information technology / Information security
• Telecom software
• Managed Security Services
• Mergers, acquisitions, acquisition integration

Co-founder of Iceberg Networks – Solely focused on GRC program consulting and implementation

Super-power: I can peel labels off things (even those paper labels that fall apart)

Page 3

What am I here to talk about?

• Managing risk in a shared responsibility environment
• The differences between issue, risk, vulnerability, and uncertainty
• The complexities of assurance activities
• Models for managing the complexity

Page 4

My GRC Digital Transformation Dream

Page 5

Problem #1 – Shared Responsibilities

Tip: You can share responsibility, but you can’t share accountability.

Page 6

Shared Responsibility Models

[Figure: three stacks, one each for Infrastructure as a Service, Platform as a Service and Software as a Service. Each stack shows the same layers from top to bottom: User Access / Identity, Data, Applications, Platform, Resource Abstraction and control, Hardware, Facility. In each stack every layer is marked as either Client Responsibility or Provider Responsibility.]

Source: Canada.ca

Page 7

Shared Responsibility Model (AWS)

Customer – Responsibility for security ‘in’ the cloud:
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (File system and/or data)
• Networking traffic protection (Encryption, integrity, identity)

AWS – Responsibility for security ‘of’ the cloud:
• Software: Compute, Storage, Database, Networking
• Hardware/AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Source: https://aws.amazon.com/compliance/shared-responsibility-model/

Page 8

Responsibility = Controls

[Figure: the AWS shared responsibility model of page 7 (Customer: Customer Data; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side data encryption & data integrity authentication; Server-side encryption (File system and/or data); Networking traffic protection (Encryption, integrity, identity). AWS: Software (Compute, Storage, Database, Networking); Hardware/AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)), overlaid with the NIST SP 800-53 control family codes showing where each family's controls land: AC (Access Control), AT (Awareness and Training), CM (Configuration Management), PE (Physical and Environmental Protection), MP (Media Protection), MA (Maintenance), IR (Incident Response), IA (Identification and Authentication), SC (System and Communications Protection), SI (System and Information Integrity).]

Derived from: https://aws.amazon.com/compliance/shared-responsibility-model/

Presentation Notes

Inherited Controls – Controls which a customer fully inherits from AWS (e.g. Physical and Environmental controls).

Shared Controls – Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include:
• Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
• Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
• Awareness & Training – AWS trains AWS employees, but a customer must train their own employees.

Customer Specific – Controls which are solely the responsibility of the customer based on the application they are deploying within AWS services. Examples include: Service and Communications Protection or Zone Security, which may require a customer to route or zone data within specific security environments.
Page 9

Shared Responsibility Model – Expanded

[Figure: the page-7 model with the customer side relabelled Customer (IS/IT) – Responsibility for security ‘in’ the cloud (same layers as page 7: Customer Data; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side data encryption & data integrity authentication; Server-side encryption (File system and/or data); Networking traffic protection (Encryption, integrity, identity)) – and a Business Process layer added above it: Customer Front-line Staff and Customer Product/Service Owner, with Responsibility for managing product/service risk (operational risk). AWS keeps Responsibility for security ‘of’ the cloud (Software: Compute, Storage, Database, Networking; Hardware/AWS Global Infrastructure: Regions, Availability Zones, Edge Locations). The NIST SP 800-53 family overlay grows to: AC, AU (Audit and Accountability), AT, CM, PE, PS (Personnel Security), MP, MA, IR, IA, CP (Contingency Planning), SC, SI, RA (Risk Assessment), SA (System and Services Acquisition), CA (Security Assessment and Authorization).]

Derived from: https://aws.amazon.com/compliance/shared-responsibility-model/

Page 10

Shared Responsibility Model – Expanded Again

[Figure: the page-9 model (Customer (IS/IT) – Responsibility for security ‘in’ the cloud; Business Process – Customer Front-line Staff and Customer Product/Service Owner, Responsibility for managing product/service risk; AWS – Responsibility for security ‘of’ the cloud: Software (Compute, Storage, Database, Networking), Hardware/AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)) with a further layer added on top: Customer Executive/Board – Responsibility for managing Enterprise risk, covering Portfolio Management, Corporate Governance, Internal Audit and Security Program. The family overlay now also carries PM* (Program Management) and PL (Planning) alongside AC, AU, AT, CM, PE, PS, MP, MA, IR, IA, CP, SC, SI, RA, SA, CA.]

Page 11

It’s Never That Simple

[Figure: Authorization Boundary Diagram]

Source: FedRAMP System Security Plan (SSP) for Office 365 Multi-Tenant (MT), Microsoft Corporation

Page 12

Problem #2 – Control Selection

Page 13

The Control Framework Problem

| Source | Control Categories (Families) | Controls | Provider Controls |
|---|---|---|---|
| NIST SP800-53 and FedRAMP (Moderate Baseline) | 17 | 325 | Self Selection |
| SOC 2 (System and Organization Controls) – AICPA Trust Services Criteria | 13 | 69 | 69 |
| SIG (Standardized Information Gathering) | 16 | 1506 | 1506 |
| GC PBMM Cloud Profile | 17 | 469 | 335 |
| PCI DSS | 13 | 246 | 246 |
| Privacy (eg Privacy Act, FIPPA, HIPAA, GDPR) | Various | Various | Various |
| Industry-Specific Compliance requirements (eg NERC CIP, OSFI Guidelines) | Various | Various | Various |

Page 14

Problem #3 – Risk Terminology

Page 15

Risk Vocabulary

[Figure: the three overlapping terms Risk, Uncertainty, Vulnerability]

Page 16

Communications Gaps

Page 17

Elements of Risk

$\mathrm{Risk} = f(A_{val}, T, V)$

where $A_{val}$ = Asset Value, $T$ = Threat, $V$ = Vulnerability.

Source: Harmonized TRA Methodology

Page 18

Risk vs Issue

[Figure: the expanded model of page 10, listing its layers (Customer Data; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side data encryption & data integrity authentication; Server-side encryption (File system and/or data); Networking traffic protection (Encryption, integrity, identity); Software (Compute, Storage, Database, Networking); Hardware/AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); Business Process (Customer Front-line Staff, Product / Service); Portfolio Management, Corporate Governance, Internal Audit, Security Program), annotated by level: Enterprise Risk at the governance layer, Operational Risk at the Business Process and Product / Service layers, and Issue at each of the eight technical layers. Legend: Business Assets, Secondary Assets, Risks, Issues / Vulnerabilities.]

Page 19

Solution: GRC Systems

Page 20

GRC Reference Model

[Figure: entity diagram with the following elements: Culture, Key Objective, Strategy, Risk Appetite, Law, Regulation, Standard, Requirement, Policy, Procedure, Task, Control, Control Objective, Control Test, Maturity Criteria, Audit, Survey, Checklist, Audit Report, Report, Evidence, Audit Finding, Issue, Risk, Business Process, KPI, KRI, Action Plan, Recommendation, Risk Report, Compliance Report, Indicator.]

Source: Towards a Reference Model for Integrated Governance, Risk and Compliance. Vicente, Racz, Mira da Silva

Page 21

UCF Reference Model

[Figure: UCF entity map, each element shown with its two-letter tag: Rs Research Sites, Ad Authority Docs, Ct Citations, Ac Acronyms, Gl Glossary, Cd cDocs, Ro Roles, Me Metrics, Ce Controls, As Assets, Re RecExamples, Ci ConfigItems, Cm ConfigMethods, Ve Vendors, Rc RecordCategory, Ot OrgTasks, Of OrgFunctions, Au Audit, Ev Events.]

Source: Unified Compliance Framework

Page 22

Controls Management Structure Implementation

[Figure: a worked chain from corporate objective down to generated controls:]
• Corporate Objectives – Objectives: Comply with Security Industry Best Practices
• Policy – Area: Access Control; Section: Passwords; Policy: Password Expiration
• Master Controls – Master Control 1: Password Expiration
• Authoritative Sources – Regulations: ISO/IEC 27001: Password Use; NIST 800-53: Password Use
• Control Procedures – Procedure: Master Control 1 – Employee Computers; Master Control 1 – Internal DB Servers; Master Control 1 – External Contractor Computers
• Technology Context – Procedure: Windows Server Baseline
• Exception Requests – Requests: Linux Environment A doesn’t support automatic password expiration
• Control Generator
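The chain on this slide is a data model, and the "Control Generator" at the bottom is a query over it. As an added example (not from the presentation and not Iceberg Networks' tooling), the Python below holds one master control with its objective, policy path, authoritative sources, per-context procedures and exception requests, then answers the generator's question for any technology context: implemented, excepted, pending, or a gap. The labels come from the slide; the baselines, the compensating control, the pending "Legacy Appliance B" exception and all class and function names are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Procedure:
    name: str                 # e.g. "Master Control 1 - Internal DB Servers"
    technology_context: str   # environment the procedure is applied to
    baseline: str             # technical baseline implementing it (constructed values)


@dataclass
class ExceptionRequest:
    technology_context: str
    reason: str
    approved: bool
    compensating_control: Optional[str] = None


@dataclass
class MasterControl:
    control_id: str
    title: str
    policy_path: Tuple[str, str, str]      # (Area, Section, Policy)
    objective: str
    authoritative_sources: List[str]
    procedures: List[Procedure] = field(default_factory=list)
    exceptions: List[ExceptionRequest] = field(default_factory=list)


def coverage(control: MasterControl, contexts: List[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """The 'control generator' step: for each technology context say whether the
    master control is implemented by a procedure, covered by an approved exception,
    blocked on a pending exception, or not covered at all (a gap)."""
    report: Dict[str, Tuple[str, Optional[str]]] = {}
    for ctx in contexts:
        proc = next((p for p in control.procedures if p.technology_context == ctx), None)
        exc = next((e for e in control.exceptions if e.technology_context == ctx), None)
        if proc is not None:
            report[ctx] = ("implemented", proc.name)
        elif exc is not None and exc.approved:
            # An approved exception only closes the gap when a compensating
            # control exists; otherwise it is still a gap to report upward.
            if exc.compensating_control:
                report[ctx] = ("excepted", exc.compensating_control)
            else:
                report[ctx] = ("gap", exc.reason)
        elif exc is not None:
            report[ctx] = ("exception pending", exc.reason)
        else:
            report[ctx] = ("gap", None)
    return report


def traceability(control: MasterControl) -> Dict[str, object]:
    """Evidence chain an auditor asks for: objective -> policy -> control -> sources -> procedures."""
    return {
        "objective": control.objective,
        "policy": " > ".join(control.policy_path),
        "control": f"{control.control_id}: {control.title}",
        "sources": list(control.authoritative_sources),
        "procedures": [p.name for p in control.procedures],
    }


# Constructed sample built from the slide's labels; baselines, the compensating
# control and the pending exception are assumptions made for this example.
PASSWORD_EXPIRATION = MasterControl(
    control_id="Master Control 1",
    title="Password Expiration",
    policy_path=("Access Control", "Passwords", "Password Expiration"),
    objective="Comply with Security Industry Best Practices",
    authoritative_sources=["ISO/IEC 27001: Password Use", "NIST 800-53: Password Use"],
    procedures=[
        Procedure("Master Control 1 - Employee Computers", "Employee Computers", "Workstation Baseline (constructed)"),
        Procedure("Master Control 1 - Internal DB Servers", "Internal DB Servers", "Windows Server Baseline"),
        Procedure("Master Control 1 - External Contractor Computers", "External Contractor Computers", "Contractor Baseline (constructed)"),
    ],
    exceptions=[
        ExceptionRequest("Linux Environment A", "doesn't support automatic password expiration",
                         approved=True, compensating_control="Quarterly manual rotation review (constructed)"),
        ExceptionRequest("Legacy Appliance B (constructed)", "vendor firmware has no expiry setting",
                         approved=False),
    ],
)

if __name__ == "__main__":
    contexts = ["Internal DB Servers", "Linux Environment A", "Legacy Appliance B (constructed)", "Lab Workstations"]
    for ctx, (status, detail) in coverage(PASSWORD_EXPIRATION, contexts).items():
        print(f"{ctx:34s} {status:18s} {detail or ''}")
    print(traceability(PASSWORD_EXPIRATION))
```

The point of keeping exceptions as first-class records rather than deleting the control from a context is that the generator can then distinguish "covered by a compensating control" from "nobody has looked at this environment", which is exactly the difference between an accepted risk and an unknown one.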

Page 23

GRC Federation

[Figure: a Cloud Service carrying controls SC-7, AT-1, PE-2, AC-3, IA-2, AU-4, IA-4, AC-1, AU-1, PS-1; a Service/Application that records Implementation details and test results for the subset SC-7, AC-3, IA-2, AU-4, IA-4; PoAM (Plan of Action and Milestones) entries attached to both, feeding Vulnerabilities/Issues/Risks.]
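As an added example (not from the presentation and not Iceberg Networks' tooling), the Python below ties the Presentation Notes on page 8 (inherited, shared and customer-specific controls) to the federation picture on this slide: starting from the cloud service's full control list, it derives the subset the application still has to implement and test, and turns anything unsatisfied into PoAM entries. The control identifiers are the NIST SP 800-53 style ids shown on the slide; the allocation of each id to a type, the implementation and test status, and the class and function names are constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Allocation(Enum):
    INHERITED = "inherited"          # provider implements; customer inherits it
    SHARED = "shared"                # both implement, in separate contexts
    CUSTOMER_SPECIFIC = "customer"   # customer alone, driven by its application


@dataclass
class Control:
    control_id: str                  # e.g. "SC-7"
    allocation: Allocation
    provider_implemented: bool = False
    customer_implemented: bool = False
    customer_tested: bool = False    # test results recorded, as on the slide

    @property
    def family(self) -> str:
        return self.control_id.split("-")[0]


def customer_obligations(controls: List[Control]) -> List[str]:
    """Ids the application must implement and test itself: everything not inherited."""
    return [c.control_id for c in controls if c.allocation is not Allocation.INHERITED]


def poam_items(controls: List[Control]) -> List[Tuple[str, str]]:
    """Unsatisfied controls become Plan of Action and Milestones entries.

    A control is satisfied only when every responsible party has done its part:
    inherited needs the provider's implementation; customer-specific needs the
    customer's implementation plus test evidence; shared needs both sides.
    """
    items = []
    for c in controls:
        needs_provider = c.allocation is not Allocation.CUSTOMER_SPECIFIC
        needs_customer = c.allocation is not Allocation.INHERITED
        provider_ok = c.provider_implemented or not needs_provider
        customer_ok = (c.customer_implemented and c.customer_tested) or not needs_customer
        if not provider_ok:
            items.append((c.control_id, "provider implementation missing"))
        elif not customer_ok:
            reason = ("customer implementation missing" if not c.customer_implemented
                      else "customer test evidence missing")
            items.append((c.control_id, reason))
    return items


def families_by_allocation(controls: List[Control]) -> Dict[str, List[str]]:
    """Group control families by allocation type, the view the page-8 overlay gives."""
    out: Dict[str, set] = {}
    for c in controls:
        out.setdefault(c.allocation.value, set()).add(c.family)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample: ids from the slide; allocations and status are illustrative.
SAMPLE_CONTROLS = [
    Control("PE-2", Allocation.INHERITED, provider_implemented=True),
    Control("PS-1", Allocation.INHERITED, provider_implemented=True),
    Control("AT-1", Allocation.SHARED, provider_implemented=True, customer_implemented=True, customer_tested=True),
    Control("AC-1", Allocation.SHARED, provider_implemented=True, customer_implemented=True, customer_tested=False),
    Control("AU-1", Allocation.SHARED, provider_implemented=True, customer_implemented=True, customer_tested=True),
    Control("SC-7", Allocation.CUSTOMER_SPECIFIC, customer_implemented=True, customer_tested=True),
    Control("AC-3", Allocation.CUSTOMER_SPECIFIC, customer_implemented=True, customer_tested=True),
    Control("IA-2", Allocation.CUSTOMER_SPECIFIC, customer_implemented=True, customer_tested=False),
    Control("AU-4", Allocation.CUSTOMER_SPECIFIC, customer_implemented=False),
    Control("IA-4", Allocation.CUSTOMER_SPECIFIC, customer_implemented=True, customer_tested=True),
]

if __name__ == "__main__":
    print("application must implement/test:", customer_obligations(SAMPLE_CONTROLS))
    print("families by allocation:", families_by_allocation(SAMPLE_CONTROLS))
    for control_id, reason in poam_items(SAMPLE_CONTROLS):
        print(f"PoAM  {control_id}: {reason}")
```

Note that the provider's implementation of a shared control (AT-1, AC-1, AU-1 here) never satisfies the customer's half: the responsibility is split, but the risk of the customer's unimplemented or untested half stays entirely with the customer, which is the slide title's point.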

Page 24

“Confident business decision making requires compiling and analyzing risk data from a complex web of interrelated areas and disciplines.”

Integrated Risk Management Functions

[Figure: stakeholders – Board, Executive, Business, Audit, Regulator]

Page 25

Summary

• Security architecture can be a daunting task, but a systematic approach to security boundary definition will help
• Control allocation can result in thousands of interrelated data points that need to be managed
• Relationships between assets, threats, risks and controls are not linear and require tools to clearly measure, manage and communicate risk
• Poor communications can result in dramatic misunderstanding of risk

Page 26

Thank you.

Page 27

References

• https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/government-canada-security-control-profile-cloud-based-it-services.html
• https://aws.amazon.com/compliance/shared-responsibility-model
• https://www.microsoft.com/en-us/trustcenter/Compliance/fedramp
• https://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance
• https://www.unifiedcompliance.com/
• https://fenix.tecnico.ulisboa.pt/downloadFile/395142791115/resumo.pdf